[Samba] Crash in 4.12.10 in

Peter Eriksson pen at lysator.liu.se
Tue Jan 26 12:04:43 UTC 2021


It seems to be crashing in source3/passwd/lookup_sids.c line 1307:

>    switch (wbc_ids[num_not_cached].type) {

Due to it trying to access outside the allocated data area…

(gdb) print num_not_cached
$23 = 68
(gdb) print num_sids
$24 = 245
(gdb) print wbc_ids[66]
$21 = {type = WBC_ID_TYPE_NOT_SPECIFIED, id = {uid = 0, gid = 0}}
(gdb) print wbc_ids[67]
$22 = {type = WBC_ID_TYPE_NOT_SPECIFIED, id = {uid = 48, gid = 48}}
(gdb) print wbc_ids[68]
Cannot access memory at address 0x81b339000

wbc_ids is talloc_array()’d at line 1290, but unfortunately the num_not_cached variable is reused, so I can’t see in the core dump how many entries were actually allocated there. I’ll recompile and add a debugging assertion check to see what’s happening there.

The user that was connected to the smbd at the time of the crash is a member of some 90 AD groups, of which 24 have gidNumber set. Dunno if that’s relevant for this case but anyway.

I’ll try to do some more debugging.

https://bugzilla.samba.org/show_bug.cgi?id=14571

- Peter
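
The failure class in the gdb session above, an index into a lookup array running past what was allocated, becomes a clean error when the allocated length travels with the array. This is an added example, not part of the original post and not Samba's code: the types, `resolve_ids` and the `drift` parameter are hypothetical, and `drift` only simulates the two passes disagreeing, since the post does not establish why that happens in Samba.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for this example; not Samba's types. */
enum id_type { ID_NOT_SPECIFIED = 0, ID_UID, ID_GID };
struct unixid { enum id_type type; unsigned id; };

/* The array length travels with the pointer, so a reused counter cannot lose it. */
struct id_batch { struct unixid *ids; size_t allocated, consumed; };

/* Next looked-up entry, or NULL when pass 2 wants more than pass 1 allocated. */
static const struct unixid *batch_next(struct id_batch *b)
{
    return (b->consumed < b->allocated) ? &b->ids[b->consumed++] : NULL;
}

/* Pass 1 counts unresolved entries and allocates one result slot for each;
 * pass 2 consumes one slot per unresolved entry. `drift` (constructed) marks
 * that many resolved entries unresolved between the passes, so the passes
 * disagree. Returns 0 on success, -1 on allocation failure, -2 on mismatch. */
int resolve_ids(struct unixid *out, size_t n, size_t drift)
{
    struct id_batch b = { NULL, 0, 0 };
    size_t i;
    int rc = 0;

    for (i = 0; i < n; i++)
        if (out[i].type == ID_NOT_SPECIFIED) b.allocated++;
    if (b.allocated > 0) {
        b.ids = calloc(b.allocated, sizeof(*b.ids));
        if (b.ids == NULL) return -1;
    }
    for (i = 0; i < b.allocated; i++) {           /* simulated lookup results */
        b.ids[i].type = ID_GID;
        b.ids[i].id = 1000 + (unsigned)i;
    }
    for (i = 0; i < n && drift > 0; i++)          /* simulate the disagreement */
        if (out[i].type != ID_NOT_SPECIFIED) { out[i].type = ID_NOT_SPECIFIED; drift--; }

    for (i = 0; i < n && rc == 0; i++) {
        const struct unixid *r;
        if (out[i].type != ID_NOT_SPECIFIED) continue;
        r = batch_next(&b);
        if (r == NULL) rc = -2;                   /* fail closed, no read past the end */
        else out[i] = *r;
    }
    free(b.ids);
    return rc;
}
```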



> On 11 Nov 2020, at 12:43, Andrew Walker via samba <samba at lists.samba.org> wrote:

> On Tue, Nov 10, 2020 at 5:01 PM Peter Eriksson via samba <
> samba at lists.samba.org> wrote:
> 
>> I just got an INTERNAL ERROR: Signal 11 in smbd (4.12.10) in something
>> that sids_to_unixids() in source3/winbindd/idmap_hash/idmap_has.c calls and
>> 3 levels down - unfortunately the stack trace doesn’t say what it is -
>> probably optimised into inline code or something.
>> 
>> Recently upgraded from Samba 4.12.5 to 4.12.10 (self-compiled). FreeBSD
>> 12.2
>> 
>> It happened right after 10 hours since that smbd process started so the
>> 10 hours Kerberos ticket lifetime is probably involved somehow…
>> 
>> Nov 10 21:39:11 runur01 smbd_audit[23768]:    #3 sig_fault + 0x6c
>> [ip=0x80129a7a9] [sp=0x7fffffffcbb0]
>> Nov 10 21:39:11 runur01 smbd_audit[23768]:    #4 <unknown symbol>
>> [ip=0x801517b70] [sp=0x7fffffffcbc0]
>> Nov 10 21:39:12 runur01 smbd_audit[23768]:    #5 <unknown symbol>
>> [ip=0x80151713f] [sp=0x7fffffffcf80]
>> Nov 10 21:39:12 runur01 smbd_audit[23768]:    #6 <unknown symbol>
>> [ip=0x7ffffffff003] [sp=0x7fffffffcff0]
>> Nov 10 21:39:12 runur01 smbd_audit[23768]:    #7 sids_to_unixids + 0x25d
>> 
>> Unfortunately no core dump :-(
>> 
> You may need to run the command "sysctl kern.sugid_coredump=1" and also set
> kern.corefile to an appropriate path (for example /tmp/%N_%P.core -- this
> ensures program name and pid are in corefile name).  If possible compile
> without optimizations and with debugging symbols (this will improve
> visibility of error).